Friday, July 31, 2009

WebScarab Template - DOS Testing

The series of WebScarab templates continues. Today's entry is for the "Scripted" portion of WebScarab . The below code will allow you to send numerous parallel requests to your target. This is effective for testing how an application handles a large number of requests for some sort of intensive operation. As always, I provide this information to help the authorized security assessors. For all others, you are on your own.

FYI, there are several other WebScarab templates. You can find links to them on the right side of the page and also included below:

-Michael Coates

/* ======================================= */
/* Provided by */
/* ======================================= */

import org.owasp.webscarab.model.ConversationID;
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// define subroutines BEFORE the main part of the script executes,
// otherwise they won't be found

//printRequestSmall method
// Optional use this if desired by calling within editable section
void printRequestSmall(Request request){
out.println("Req "+i+" of "+TotalRequests+" to "+request.getMethod()+" "+request.getURL());

//printRequest method
// Optional use this if desired by calling within editable section
void printRequest(Request request){
String[] headers=request.getHeaderNames();
for(String header : headers){
out.println(header+" : " + request.getHeader(header));

//printResponse method
// Optional use this if desired by calling within editable section
void printResponse(Response response){
//print the headers
String[] headers=response.getHeaderNames();
for(String header : headers){
out.println(header+" : " + response.getHeader(header));
//print the content
byte[] data=response.getContent();
String data_response=new String(data);


// call this to fetch them in parallel
// the number of simultaneous connections is unbounded
// requests will be sent as fast as possible until reaching the
// limit set in the section at the end
void fetchParallel() {
while (hasMoreRequests() || scripted.isAsyncBusy()) {
while (hasMoreRequests()) {
request = getNextRequest();

if (scripted.hasAsyncResponse()) {
while (scripted.hasAsyncResponse()) {
response = scripted.getAsyncResponse();
request = response.getRequest();
} else Thread.sleep(100);

// a counter, so we can know when to stop
int i=0;
int TotalRequests;
boolean hasMoreRequests() {
return i < TotalRequests;

***************** USER EDITABLE SCRIPT STARTS HERE ***************************
* *
* Of course, you can modify the bits above, but you shouldn't need *
* to, if you follow the algorithm suggested below. *
* *
//====Set the number below equal to the total number of requests====

// modify this routine to construct the next request - no changes needed
Request getNextRequest() {
// create a new request copied from the template
Request request = new Request(template);
return request;

//====Edit this section====
// create a template that contains the basics
Request template = new Request();
template.setURL(new HttpUrl(""));
template.setHeader("Accept"," text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
template.setHeader("Accept-Language"," en-us,en;q=0.5");
template.setHeader("Accept-Encoding"," gzip,deflate");
template.setHeader("Accept-Charset"," ISO-8859-1,utf-8;q=0.7,*;q=0.7");
template.setHeader("Keep-Alive"," 300");
template.setHeader("Proxy-Connection"," keep-alive");
//template.setHeader("Cookie"," Some cookie values here");

//===Fetch in Parallel===

Friday, July 24, 2009

CSRF Tokens Are Not Broken

You may have just read this story about a new attack against CSRF Tokens. The attack is a clever combination of the old CSS history attack against today's CSRF defense token. I give "Inferno" credit for this new discovery and applaud the creativity and technical skills which keep everyone in the industry on their toes.

However, CSRF tokens are still the most effective way at preventing CSRF attacks. This attack is a brute force attack against the CSRF token. As the article states,

[The attack] was able to find two five-figure tokens in under seven minutes.
Luckily, the normal CSRF token is much more complex. For example, here is a token generated through ESAPI (ie CSRF Guard)

A token with this level of complexity would not be brute forced in any reasonable amout of time. And consider this, if we could brute force this sort of value in a resonable time frame, then we would brute force the sessionID instead and just take over the user's session with the application!

-Michael Coates

Sunday, July 19, 2009

IE 8 Anti-XSS A Bit Overblown

IE 8's anti-xss filters may help protect users. However, its pretty strict and catches all sorts of random things. It looks like it functions on GETs only - POSTS are excluded. Based on this it would protect users against reflected XSS issues only. Any sort of stored XSS would not be mitigated by this browser control.

Here is an interesting look at some of the false positives:

Firing on just "<script>" in the url
Google: Search for <script> using the normal website. It will work.
But try going directly to the URL
IE 8 XSS filter kicks in.

Here are a few more
Firing on javascript:alert(document.cookie)
Ok, maybe its looking for any sort of javascript in the URL. Even though no real attacker would just pop-up a message box with the cookie.

Firing on javascript:a
Hmm, seems like it fires on "javascript:" followed by anything.

Firing on ";alert(123);
Maybe this is someone looking for an xss issue, but that is stretching it. Again, no real attack would use this.";alert(123);

Firing on ";abc(123);
Oh, nevermind, the far reaching filter fires on any JavaScript looking method following "; Doesn't matter if it actually exists or not.";abc(123);

So it looks to me that the xss filter is firing pretty liberally. The problem will begin when more people adopt IE 8 and websites start to see this filter breaking legitimate functionality. At that point the websites will begin disabling the xss filter by adding the following response header.

X-XSS-Protection: 0

That's right. The website has the ability to disable security controls setup in your browser. Seems a little bit of an odd model right? So don't go and rely on this control for your security. If you want to take action to protect yourself then I recommend Mozilla and noScript plugin.

Also, if you are conducting security reviews and need to use IE 8 then check out this post on automatically disabling IE 8 xss with WebScarab's bean shell.

-Michael Coates

Thursday, July 16, 2009

WebScarab - BeanShell to Disable IE8 XSS

Using WebScarab for security testing? Here's how to disable the IE8 XSS filter. This is a good move since the IE8 filter is filled with so many false positives that its impossible to perform a fair test unless this feature is turned off.

Add the following to WebScarab's BeanShell. This can be found under Proxy->Bean Shell. Make sure the enable box is checked and hit commit.

/* Please read the JavaDoc and/or the source to understand what methods are available */
/* Template provided by */

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {

//=====Make changes to the requests=========
//=====Remember: These changes will be applied to all requests while the bean is enabled. ============

//Send the request and fetch the response - this is required for requests to work
Response response = nextPlugin.fetchResponse(request);

//=====Make changes to the response=========
//Modify the response to set the anti-xss header for IE8

return response;

-Michael Coates

Wednesday, July 15, 2009

Users Don't Value Their Own Data prt 2

There must be chemicals in the coffee telling people not to protect their data. A few weeks back I talked about the guy who applied for a credit card over the phone while in the middle of a busy Caribou (that's a coffee house for those not living in the Midwest). Needless to say, I learned his whole life story and all PII possible.

Well, today I walked into my local caribou and was a bit irked that one woman had spread out all sorts of papers over the single large table. Normally reserved for large groups or shared by several people, she had taken the whole thing. Didn't even order a drink. Anyways, out of curiousity I glanced at the paperwork and noticed it appeared to be financial records of some sorts - invoices, investement statements, bank statements, etc. Based on the sheer quantity of documents I assume she works in the financial industry and these are the records of her clients.

So whats the security concern? Maybe someone could look over her shoulder and see the documents? True, but that's not what prompted me to tell the story. After just a few minutes of sitting here I notice the women stand up, walk over to the trash and just dump a bunch of records in the trash can! From what I could tell, they were statements from a Fidelity investment account.

Once again, despite our best efforts to protect users, we can never protect them from their own stupidity and sheer carelessness for security.

-Michael Coates

Tuesday, July 14, 2009

Poor Man's SSL

Sometimes the 9.95 SSL certificate is just too expensive. But hey, at least they are a "thawte secure site".

-Michael Coates

Monday, July 6, 2009

Picks for Black Hat 2009

If you been following the black hat course training and speaker page then you probably have realilzed that there has been a large number of changes. From selecting speakers in a delayed two group selection to canceling a large number of training classes, I can only presume the economy and limited budgets have been at play.

None-the-less, here are some talks that look interesting and I'd recommend you check out.

Day 1
1000 - 1100Billy Hoffman & Matt Wood: Veiled - A Browser Based Darknet
1115 - 1230Nathan Hamiel & Shawn Moyer:Weaponizing the Web
1345 - 1500Moxie Marlinspike:More Tricks for Defeating SSL
1515 - 1630Jeff Williams:There's a Fox in the Henhouse
Day 2
1000 - 1100Zane Lackey & Luis Miras:Attacking SMS
1345 - 1500Haroon Meer:Clobbering the Cloud!
1515 - 1630Alexander Sotirov & Mike Zusman:Breaking the Security Myths of Extended Validation SSL Certificates

-Michael Coates